Roles & API Keys
Roles and permissions
Four built-in roles cover the common cases. Each row below is an individually checkable permission verb; Admin is a catch-all that satisfies any check.
| Permission | admin | developer | operator | viewer |
|---|---|---|---|---|
| FlowRead | ✓ | ✓ | ✓ | ✓ |
| FlowWrite | ✓ | ✓ | | |
| FlowInvoke | ✓ | ✓ | ✓ | |
| InvocationRead | ✓ | ✓ | ✓ | ✓ |
| InvocationDelete | ✓ | ✓ | | |
| InvocationTerminate | ✓ | ✓ | | |
| EnvironmentRead | ✓ | ✓ | | |
| EnvironmentWrite | ✓ | ✓ | | |
| SystemRead | ✓ | | | |
| UserManage | ✓ | | | |
| Admin (catch-all) | ✓ | | | |
Roles map to intent: admin (full), developer (flows/envs), operator (invoke/monitor), viewer (read-only). A custom role can grant FlowInvoke without Admin for a least-privilege automation account. If you don’t know your role, the whoami REST endpoint (or the equivalent MCP tool) returns it.
API keys for service-to-service
Keys are scoped to a user or a role, can be rotated without service disruption, and are revealed exactly once on creation.
Rotation is a rotate-api-key call: the old key keeps working until you delete-api-key it, so a CI pipeline can pick up the new key on its next run before the old one is revoked. This is the path for wiring monitoring, deployment, and scheduled invocations into your installation.
An API key can be user-bound — invocations carry an owner_user_id claim, so per-user credential overrides apply to automation as they would to the human.
Audit trail
Every authenticated mutation lands in the audit log: create flow, update environment, set secret, rotate API key, transition staging, promote to production, login attempts (success and failure), API key creation/revocation, role assignment changes. Each entry is a structured Serilog event with:
Timestamp · EventType · UserId · EntityType / EntityId · Outcome · (SourceIp · InvocationId when applicable)
Entries route through the standard Serilog pipeline — same sinks as the rest of platform logging. For compliance retention, ship the audit log to your SIEM (ELK, Loki, Splunk) via the configured sink; the local file sink is for short-term troubleshooting. The log is queryable via /api/v1/platform/logs for ad-hoc investigation.
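Because a rotated key stays valid until it is deleted, the audit trail can be used to find old keys that were rotated but never revoked. The following is an added example, not the platform's own code. It assumes audit entries exported as JSON lines with the field names listed above; the EventType strings (`ApiKeyRotated`, `ApiKeyDeleted`), the convention that a rotation entry's EntityId names the old key, and all sample values are constructed assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample audit entries, one JSON object per line. Field names come
# from the audit entry list; EventType strings and ids are assumptions.
SAMPLE_LOG = """\
{"Timestamp":"2024-05-01T09:00:00Z","EventType":"ApiKeyRotated","UserId":"ci-bot","EntityType":"ApiKey","EntityId":"key-001","Outcome":"Success"}
{"Timestamp":"2024-05-01T09:30:00Z","EventType":"ApiKeyDeleted","UserId":"ci-bot","EntityType":"ApiKey","EntityId":"key-001","Outcome":"Success"}
{"Timestamp":"2024-05-01T10:00:00Z","EventType":"ApiKeyRotated","UserId":"deploy-svc","EntityType":"ApiKey","EntityId":"key-002","Outcome":"Success"}
{"Timestamp":"2024-05-01T10:05:00Z","EventType":"ApiKeyDeleted","UserId":"deploy-svc","EntityType":"ApiKey","EntityId":"key-002","Outcome":"Failure"}
{"Timestamp":"2024-05-03T08:00:00Z","EventType":"ApiKeyRotated","UserId":"monitor-svc","EntityType":"ApiKey","EntityId":"key-003","Outcome":"Success"}
"""
NOW = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample


def parse_ts(value):
    # fromisoformat() rejects a trailing "Z" before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_rotated_keys(log_text, now, grace=timedelta(hours=24)):
    """Return (old_key_id, user, age) for rotated keys not revoked within grace."""
    pending = {}  # old key id -> (rotation time, user who rotated)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        # Only successful API key events change state; a failed delete
        # leaves the old key usable and must not clear it.
        if entry.get("EntityType") != "ApiKey" or entry.get("Outcome") != "Success":
            continue
        key_id = entry["EntityId"]
        if entry["EventType"] == "ApiKeyRotated":
            pending[key_id] = (parse_ts(entry["Timestamp"]), entry["UserId"])
        elif entry["EventType"] == "ApiKeyDeleted":
            pending.pop(key_id, None)
    return sorted(
        (key_id, user, now - rotated_at)
        for key_id, (rotated_at, user) in pending.items()
        if now - rotated_at > grace
    )


if __name__ == "__main__":
    for key_id, user, age in stale_rotated_keys(SAMPLE_LOG, NOW):
        print(f"old key {key_id} (rotated by {user}) still valid after {age}")
```

The grace period should match how long your slowest consumer takes to pick up a new key, for example one CI run interval.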